The goal of vulnerability classification is to place a temporary embargo on public information exchange once a security vulnerability has been identified; without such an embargo, details could be disclosed before a fix is available, leaving affected systems exposed. This page covers the security scheme proposed for use in OPNFV JIRA.
Security Levels in JIRA
An overview of JIRA security can be found in Atlassian's documentation:
An issue security level is a named collection of users. Issue security levels are created within issue security schemes, which are then associated with projects. Once an issue security scheme has been associated with a project, its security levels can be applied to issues in that project (note, sub-tasks will inherit the security level of their parent issue). Those issues will then only be accessible to members of that security level.
The current approach is to define such a security scheme for each project. At this time the only choices for security levels are:
- None: anyone, including anonymous public visitors, is granted access.
- Embargo: only specific authenticated and authorized users are granted access.
Security Level Access
The following security scheme defines who gets access to an issue once the project-specific security level has been assigned to it.
Security Scheme: Embargo
- Project Lead
- Current Assignee
- Group (opnfv-gerrit-securityscanning-submitters)
- Group (opnfv-gerrit-PROJECT-submitters) - where PROJECT is the name of the project in question.
Protecting an Issue
A security level can be assigned when an issue is being created, directly in the Create Issue dialog box.
Alternatively, an issue's security level can be modified at any time through the Edit Issue action.
Requesting Embargo Security Scheme
Each PTL is required to request a security scheme for their project. This is done by sending a request for a security scheme for the project to firstname.lastname@example.org.